Understanding the threat
Paul Davis puts the latest and most advanced malware life cycles under his microscope with a view to rapid response
Many companies today make the mistake of viewing the advanced persistent threat (APT) type of attack as a single incident consisting of exploit, infection and remediation stages. However, APT attacks are now co-ordinated efforts to establish a foothold for the purposes of cyber crime, cyber espionage or emerging cyber warfare scenarios.
Firms must understand that APT attacks take place within an overall infection life cycle. This allows us to grasp the importance of tackling the initial exploit before it has the opportunity to punch a hole in an organisation’s security defences and open a secure channel to send out data or introduce more malware.
Look at the now infamous Operation Aurora. Google was one of a handful of corporations that suffered this targeted malware attack. The initial exploit used an unknown, zero-day Internet Explorer 6 vulnerability to compromise specific systems. Attackers then installed and ran the executable code, and the trojan communicated back to a command-and-control server that could send and receive various malicious commands and payloads.
These subsequently launched malware tools enabled the attackers to gather intelligence about the compromised network, with the aim of locating and extracting confidential data.
Advanced malware is designed for the long-term control of compromised machines. It often uses offensive tactics to disrupt client-based security, such as rewriting the Windows HOSTS file to disrupt antivirus updates, or resetting Microsoft security updates to manual. It can also establish outbound communications across several protocols to upload stolen data or to download instructions and further payloads.
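The HOSTS-file tampering described above is one of the few behaviours in this life cycle that a defender can check for directly on an endpoint. The following script is an added example, not code from the article or from FireEye: it parses a HOSTS file and flags any entry that pins an antivirus or Windows Update host name to an address, distinguishing the classic loopback/blackhole pattern from a redirect elsewhere. The vendor host names in the watch list and the sample HOSTS content are constructed for illustration and should be replaced with the products actually deployed.

```python
"""
Added example (not from the article): a defender-side check for the HOSTS-file
tampering the text describes, where malware maps antivirus or update hosts to
a loopback or attacker-chosen address so clients can no longer reach them.
The watch list and the sample HOSTS content below are constructed; tailor the
list to the security products and update services actually in use.
"""
import ipaddress
from typing import Dict, List

# Constructed watch list of update/activation domains a defender expects to
# resolve normally. Illustrative names, not an authoritative list.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
)

# Constructed sample HOSTS file: a comment, one legitimate localhost line,
# and two lines of the kind update-blocking tampering produces.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.symantec.com liveupdate.symantec.com
0.0.0.0         download.windowsupdate.com
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name in a HOSTS file to the address it is pinned to.
    Comments (after '#') and blank lines are ignored; the first field is the
    address and the remaining fields are host names."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address, not a usable pin
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_watched(host: str) -> bool:
    """True if the host is, or sits under, one of the watched domains."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_suspicious_pins(text: str) -> List[Dict[str, str]]:
    """Return HOSTS entries that pin a watched vendor/update host to any
    address. These hosts are never legitimately listed in HOSTS, so any pin
    merits an alert; a loopback or unspecified address is the classic
    update-blocking pattern, and the finding records which case applies."""
    findings = []
    for host, addr in parse_hosts(text).items():
        if not is_watched(host):
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            reason = "update host blackholed to local address"
        else:
            reason = "update host redirected to external address"
        findings.append({"host": host, "address": addr, "reason": reason})
    return findings


if __name__ == "__main__":
    # On a live Windows host, read %SystemRoot%\System32\drivers\etc\hosts
    # instead of the constructed sample.
    for finding in find_suspicious_pins(SAMPLE_HOSTS):
        print(f"ALERT {finding['host']} -> {finding['address']}: {finding['reason']}")
```

Run against the constructed sample, the script raises three alerts (both Symantec names and the Windows Update download host, all blackholed) and leaves the legitimate localhost line alone. In practice the same logic belongs in an endpoint baseline or configuration-monitoring job, alongside a check that automatic updating has not been switched to manual, which is the companion tactic the text mentions.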
Once command-and-control has been established, the organisation is susceptible to a range of damaging attacks, including the possible sale of compromised machines on the black market to terrorist or politically motivated groups to conduct all manner of nefarious activities. And it becomes virtually impossible to analyse and block the content coming down the pipe, which is likely to be over an encrypted channel.
So the best approach to such attacks is to identify the original exploit and isolate it in such a way as to prevent it from unleashing the binary malware onto the network.
The web and email are the two leading threat vectors that are often used to infect systems and compromise networks. Websites and applications support user-contributed content, syndicated content, iFrames, third-party widgets or applets, and convoluted advertising distribution networks into which advanced malware can easily be injected somewhere along the line.
Social networks can enable criminals to design targeted spear phishing campaigns, luring victims into opening malicious attachments or clicking on infectious web links via email messages.
This malware, developed by criminals, is dynamic and stealthy, and it uses unknown vulnerabilities across a range of applications and communications protocols. Cyber criminals have developed advanced malware to bypass outdated security techniques.
Signature-based technologies such as IPS and antivirus software, both within perimeter and end-point solutions, are increasingly ineffective against rapidly evolving APTs. This is shown by the continued successful intrusions into commercial, government and educational networks.
Consequently, the channel and security vendors must teach organisations about the life cycle of this new breed of advanced malware. This will help them develop effective, long-term security strategies to protect their organisations against cyber attack.
Paul Davis is European director of operations at FireEye